[OpenAFS] mod_waklog question

Jason Edgecombe jwedgeco@uncc.edu
Mon, 3 Jul 2017 12:06:24 -0400


mod_waklog is meant to be used as an .htaccess-style mechanism to let
users supply credentials via a web browser so that apache can use those
credentials to access user files. In this case, the apache process switches
between multiple AFS users and the tokens only need to live for the brief
life of the http request/session.

Your timeout issues suggest that you are running apache with long-running
tokens as a single user and those tokens need to be automatically renewed.
If you're using this "apache needs persistent AFS access via a service
account" use case, then you need to use k5start and a local keytab:
https://www.eyrie.org/~eagle/software/kstart/k5start.html

k5start is available in EPEL. I think there are debian packages as well.

Jason


---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedgeco@uncc.edu | http://engr.uncc.edu |  Facebook
---------------------------------------------------------------------------

On Mon, Jul 3, 2017 at 11:52 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Mon, Jul 03, 2017 at 04:45:16PM +0200, Andreas Ladanyi wrote:
> > Hi,
> >
> > I test Apache2 with mod_waklog.
> >
> > When will waklog autorenew the ticket/token ?
> >
> > After a duration of time apache is running I get error messages in the
> > apache log that apache can't write to afs path. Maybe this could be
> > because the ticket/token is invalid.
> >
> > I would expect that waklog will renew this automatically ?!
> >
> > Or do I have to restart apache all days or increase the ticket lifetime
> > to an exorbitant number ?
>
> I am far from an expert on mod_waklog (mostly, I just sat through a
> presentation
> or two on it and never used it), but I had the impression that it was
> normally used to get credentials from the remote user, [by some unspecified
> mechanism populate KRB5CCNAME with a krb5 ccache for that user], and then
> aklog to let apache access AFS as the remote user for servicing that given
> request, then clean up/unlog the acquired token.  That doesn't really seem
> consistent with what you describe, which is as if apache has a keytab of
> its own and is using *those* kerberos credentials (not those of the remote
> user) to acquire a token.  If that's the case, then that a token expires
> is not very surprising, but I could not comment about whether expecting
> automatic renewal is reasonable, since I don't know about that use case
> at all.
>
> -Ben

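Added example for the "apache needs persistent AFS access via a service account" case Jason describes; this is not code from the thread, from mod_waklog or from kstart. It does two things a defender wants around that setup: it parses the output of the OpenAFS `tokens` command to tell whether the service token Apache relies on has expired or is about to (the condition behind Andreas's "can't write to afs path" errors), and it assembles the k5start command line that keeps a token renewed from a local keytab. The keytab path, ccache path, pid file and cell name are placeholders, and the sample `tokens` output is constructed for the example.

```python
"""Added example (not from the OpenAFS-info thread): monitor the AFS token a
service-account Apache depends on, and build the k5start invocation that
keeps it renewed from a local keytab. All paths and cell names are placeholders."""
import re
from datetime import datetime, timedelta

# Constructed sample output of the OpenAFS `tokens` command. The real command
# prints the expiry without a year, which the parser below has to cope with.
SAMPLE_TOKENS = """\
Tokens held by the Cache Manager:

User's (AFS ID 4242) tokens for afs@example.org [Expires Jul  4 02:06]
   --End of list--
"""

# Constructed sample for the failure case: the token has been discarded, so
# Apache (running as the service account) has no AFS credentials at all.
SAMPLE_NO_TOKENS = """\
Tokens held by the Cache Manager:

   --End of list--
"""

EXPIRES_RE = re.compile(
    r"tokens for afs@(?P<cell>\S+) \[Expires (?P<mon>\w{3}) +(?P<day>\d+) (?P<hm>\d\d:\d\d)\]"
)


def parse_token_expiries(tokens_output, now):
    """Return {cell: expiry datetime} for every token line in `tokens` output.

    `tokens` omits the year, so the year of `now` is assumed; an expiry that
    would then lie more than a day in the past (a token printed on Dec 31
    that expires on Jan 1) is taken to be next year's. This heuristic is an
    assumption of the example, not documented `tokens` behaviour."""
    result = {}
    for m in EXPIRES_RE.finditer(tokens_output):
        stamp = f"{m['mon']} {int(m['day']):02d} {m['hm']} {now.year}"
        exp = datetime.strptime(stamp, "%b %d %H:%M %Y")
        if exp < now - timedelta(days=1):
            exp = exp.replace(year=now.year + 1)
        result[m["cell"]] = exp
    return result


def minutes_until_expiry(tokens_output, now, cell="example.org"):
    """Whole minutes left on the token for `cell`; negative once it has
    expired; None when no token for the cell is held at all."""
    exp = parse_token_expiries(tokens_output, now).get(cell)
    if exp is None:
        return None
    return int((exp - now).total_seconds() // 60)


def needs_renewal(tokens_output, now, cell="example.org", min_minutes=60):
    """True when Apache would lose AFS access within `min_minutes`, or already
    has. Suitable as a cron/monitoring check alongside a running k5start."""
    left = minutes_until_expiry(tokens_output, now, cell)
    return left is None or left < min_minutes


def k5start_command(keytab, ccache, pidfile, check_every=10, happy_minutes=60):
    """argv for the k5start daemon the reply recommends: read the principal
    from the keytab (-U -f), write the ticket to a fixed ccache (-k), wake up
    every `check_every` minutes (-K), re-acquire whenever fewer than
    `happy_minutes` remain (-H), run aklog after each acquisition (-t),
    daemonise (-b) and record the pid (-p) so the service manager can stop it.
    Note that aklog stores the AFS token in the caller's PAG (or, outside a
    PAG, under its uid), so k5start must run where the Apache workers will see
    the token, e.g. started from the same service unit without a separate PAG."""
    return [
        "k5start", "-b", "-U", "-f", keytab, "-k", ccache, "-p", pidfile,
        "-K", str(check_every), "-H", str(happy_minutes), "-t",
    ]


if __name__ == "__main__":
    now = datetime(2017, 7, 3, 12, 6)
    print("minutes left:", minutes_until_expiry(SAMPLE_TOKENS, now))
    print("needs renewal:", needs_renewal(SAMPLE_TOKENS, now))
    print("no token -> needs renewal:", needs_renewal(SAMPLE_NO_TOKENS, now))
    print(" ".join(k5start_command("/etc/apache2/apache.keytab",
                                   "/run/apache2/krb5cc",
                                   "/run/apache2/k5start.pid")))
```

The point of `needs_renewal` is that the symptom Andreas reports (writes to AFS failing after Apache has run for a while) is detectable before it happens: with k5start's `-K`/`-H` keeping the ticket fresh, the check should never fire, and if it does the renewal daemon itself is what needs attention.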